Introduction
Following up on my promise and continuing this mini-series of blog post, where I’m trying to address some of the basics of Configuration Manager. This time, I’m going to give you an example of how you can to add computers to groups in AD (Active Directory) during the deployment of Windows using a web service and Powershell.
Web Service
As mentioned, this is based on using a web service. There are other options as well, but I recommend using a web service due to various factors, and in general, a web service extends the functionality of OSD considerably. It might seem scary to someone, but its actually really easy to put to use. Below are the details:
- First of all, you obviously need the web service installed and functional. My example is based on Nickolaj Andersen’s web service. The installation is well documented alongside the download: http://www.scconfigmgr.com/configmgr-webservice/
- The installation is literally next, next, next and done
Once the web service has been installed, the prerequisite for this option is to grant the service account access (the identity account), to allow modifying group memberships in Active Directory.
Taking a closer look at the Advanced Settings of the ConfigMgrWebService Application Pool will reveal the account used (in case you didn’t do the installation yourself, or somehow forgot which user that’s running the web service). See below.
Active Directory
- To give the account access to modify group memberships in Active Directory, right click on the OU where the group you plan on adding computers reside and select Delegate Control
- Add the account as shown below
- Delegate the Modify the membership of a group permissions and finish the wizard
Powershell
Nickolaj is kind enough to provide us with some Powershell samples included in the web service. I have made some minor changes allowing the computer to be added to several groups. Copy/paste the script below or make your own edition if needed.
- Insert your own SecretKet from the web service
- Modify groups to suit your needs
- Insert your own URL to the web service
# Variables $SecretKey = "c45bc9-02f4-4202-bc6d-6d0b2c360c" $ADGroupName1 = "Intune_Co-mgmt_Computers" $ADGroupName2 = "DirectAccessClients" # Construct TSEnvironment object try { $TSEnvironment = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop } catch [System.Exception] { Write-Warning -Message "Unable to construct Microsoft.SMS.TSEnvironment object" ; exit 3 } # Get OSDComputerName variable value $OSDComputerName = $TSEnvironment.Value("OSDComputerName") # Construct web service proxy try { $URI = "http://YOURSERVER/ConfigMgrWebService/ConfigMgr.asmx" $WebService = New-WebServiceProxy -Uri $URI -ErrorAction Stop } catch [System.Exception] { Write-Warning -Message "An error occured while attempting to calling web service. Error message: $($_.Exception.Message)" ; exit 2 } # Add computer to groups $Invocation1 = $WebService.AddADComputerToGroup($SecretKey, $ADGroupName1, $OSDComputerName) $Invocation2 = $WebService.AddADComputerToGroup($SecretKey, $ADGroupName2, $OSDComputerName) if (($Invocation1 -eq "True") -and ($Invocation2 -eq "True")) { exit 0 } else { exit 1 }
Task Sequence
Put everything to use in your task sequence. Below illustrates the use in one of my task sequences.
Enjoy 🙂
Thanks for the blog post, Martin.
Is it possible to pass the ADGroups as paramters in the task sequence step instead of hardcoding the information in the powershell script? Goal would be to have only one script, but different parameters based on TSvariables?